Privacy statement

At Porchlight we help people who have nowhere to go and no-one to turn to; some are homeless, others are struggling to cope with the pressures in their lives and need our support to keep on track. We help people with housing, education and employment, and their health and wellbeing. We make a positive impact on adults, children, families and communities as a whole.

Porchlight is a limited company registered in England and Wales, our registered company number is 1157482 and our registered charity number is 267116.

We need to process data about the people to whom we provide support, and to those who support us through campaigns, donations or volunteering. Porchlight are committed to protecting the privacy of our stakeholders and take care to safeguard it. This privacy statement outlines what data is collected, how it will be used, and what your rights are as a data subject.

This privacy statement is as comprehensive as possible however it is not an exhaustive list of every aspect of data collection and processing. We would be happy to provide further information or explanation about our services, if you have any questions please do get in touch with us, details are in the About Us section at the end.

Why we collect your data and how we collect it

We will collect the personal data or sensitive personal data needed in order to communicate with you and to provide and administer services to you. The type and amount of data collected will depend on the nature of your interaction with Porchlight.

We collect information about you that you give us directly by calling our offices or helpline, filling in forms on our website, attending drop in sessions or events, by completing surveys or forms, or by corresponding with us on social media, by phone, email or otherwise.

We receive information from your use of our website as it collects technical information such as the IP address. Our website uses cookies to distinguish you from other users of our website, this helps us to provide you with a good experience and helps us to improve our website, these may be stored in your web browser or on your device.

We may also receive information about you from third parties; this may be another support agency which is referring a service user to us, from sponsorship forms or fundraising websites, or from other publically available sources.

What data we collect

The data we collect will vary based on the nature of your relationship and interaction with Porchlight.

Your work and education history, including if you were a member of the armed forces

Correspondence or contact you have with us

Your engagement with services

Next of kin or emergency contact information

Details of other agencies or providers you are working with

We may also collect sensitive personal data such as details about your physical or mental health, religion, sexual orientation, ethnicity, race, political and philosophical beliefs, and criminal records.

You have the option to give us a password (e.g. mothers maiden name, place of birth, or memorable word) to add to your file which we will use as a security question if you call us regarding your data.

Calls to our helpline may be recorded and this is for training purposes, to provide quality assurance, to help with complaint investigations, and to enable us to improve the service that we offer, you will be informed that your call will be recorded prior to any data collection.

Donors and supporters

We may collect any, but not necessarily all, of the following information depending on the nature of your support and communication preferences:

And any other biographical information you choose to share with us including relational links

We do not see or store card payment details for any donations made online through our website. Where a donation is made over the phone we will input the details to the same secure websites on your behalf.

We strongly advise against sending payment details by email. If we receive an email containing any payment information this will be immediately processed and the email deleted. Paper donation forms are always destroyed once we have processed and recorded donation details on our database.

If you choose to include Gift Aid with a donation, we are obliged to ask for your UK taxpayer status and full postal address including postcode.

Supporter engagement:

We keep records of your correspondence and engagement with us which may include details about invitations to events, attending events or participation in fundraising events.

If you attend an event we are organising, we may ask you to provide information such as dietary and accessibility information but this is only noted for the purpose of the event and will be deleted after the event.

Vulnerable donors and supporters:

We are committed to protecting vulnerable donors and supporters. Rarely we may also collect sensitive personal data on an individual where we believe a person to be vulnerable in order to comply with requirements under charity law and best practice as directed by the Fundraising Regulator. We will ensure that we do not send marketing and fundraising communications to those individuals through the use of a suppression list in order to avoid sending unwanted materials.

Further information can be found in our Supporter Care Charter, Treating Donors Fairly procedure, and Ethical Fundraising procedure: www.porchlight.org.uk/data

How we use your data

Service users

If you are receiving advice, support, or a service from us we will need to process your data in order to fulfil our obligations to you in providing this service. The information you give us lets us know what support you need, and we keep a record of what support you have been given and how this has helped. We will offer you suitable job, education or training opportunities based on your needs, or may be able to refer you to other services provided by Porchlight or our delivery network which would be of benefit to you.

We will invite you to participate in activities such as service user involvement forums and feedback groups, and will ask for your feedback when you exit our services.

We will use data for statistical reporting in order to assess the quality of our services, to identify trends which help us improve existing services and develop new services, and to ensure we are meeting our contractual requirements. Statistical reports will not include any personal information which could be used to identify individuals.

We quality audit a set percentage of all our client files to ensure that our services are of a high standard and data collected is appropriate and proportionate, files will be audited by Porchlight staff and occasionally external auditors where the service is funded by another organisation (for example a local authority) or where Porchlight is seeking external accreditation for services. All auditors are bound by confidentiality and files will be anonymised if appropriate.

Donors and supporters

Processing and recording donations and Gift Aid:

The processing of one-off donations made on our website with debit and credit card payments is managed externally by Blackbaud on a secure payment transaction website. To protect your credit card information, when used according to manufacturer’s instructions, Blackbaud encrypts personal and credit card information during all transactions. For more information about Blackbaud visit www.blackbaud.com

When you make a donation we will use your payment and contact details, donation amount, date and time of payment to process that payment and take any follow-up administration actions such as sending a thank you letter or email unless you ask us not to acknowledge the donation.

We will keep a record of all your donations, giving history and gift aid details on our secure supporter database, Raiser’s Edge NXT.

Staying in touch:

As a charity providing vital services to the most vulnerable we cannot survive without the trust, confidence, support and generosity of the general public, major philanthropists, the business community, and grant-making trusts and foundations. In our endeavours to seek your support and funding for our work we need to keep you up-to-date with our fundraising, marketing and campaigning news and activities.

We may use a range of activities and channels to contact current donors as well as to attract the support of prospective new donors – including our website, digital platforms, emails, fundraising challenges, fundraising events and receptions, direct mail appeals, meetings and phone conversations.

We will obtain your consent to contact you by email and text message for fundraising appeals and marketing purposes.

We will send you fundraising appeals and marketing by post, on the basis of it being within our legitimate interests to do so if you have donated to us within the last two years, unless you have opted out.

Presently, we only call people for administrative purposes. If we want to make marketing calls for fundraising appeals, we will contact existing donors and supporters by phone on the same legitimate interest basis unless you are registered with the Telephone Preference Service or have opted out of receiving marketing communications. We will obtain consent from all new donors and supporters to make marketing calls.

We will contact you:

with news and updates about our work including our newsletter Porchlight Post

about fundraising appeals and activities including requests for donations, information about gift aid, information on how you can leave us a gift in your will, how you can raise money on our behalf, attend or take part in fundraising events and challenges, and how your donations and fundraising support have a positive impact on our work and service users

with details and invitations about our special supporter events including talks, workshops, seminars, conferences, receptions and functions

We will not use companies or individuals to:

knock on people’s doors to ask for donations of any kind be it cash, card payments or gifts in kind

The legal basis for processing your data

We will ensure that where we collect and process your data we will do so in accordance with the lawful bases defined by data protection laws, depending on the purposes for which we use your data, one or more of the lawful bases below may be relevant:

Consent where we have obtained your consent to use your information for specific purposes

Contract where we have entered into a contractual agreement with you

Legal obligation where there is a requirement for us to record information such as Gift Aid declarations, or accounting and tax purposes

Legitimate interests such as:

Administration and Operational functions – including responding to enquiries, providing information and support services, research, analysis and evaluation, the administration of employment, volunteering, and recruitment.

Governance – including the delivery of our charitable purposes, statutory and financial reporting, and other regulatory compliance purposes.

Delivering services – ensuring safe and effective services are provided which protect both our staff and our service users

Where legitimate interests has been identified as the lawful basis for processing data we will ensure that its use is fair and not intrusive and is only used in a way or for a purpose that you would reasonably expect.

If you do not wish to share your data with us we will be limited in the support or service that we can offer to you and may not be able to provide such services.

We are committed to protecting the privacy of the young people that we work with who are receiving support from our services, where we collect data from those aged under 13 we will always ask for parental or guardian consent.

Where we are working with young people from schools or youth groups in fundraising activities we will ensure that the appropriate controls are in place to protect their data and will only record generic information such as the number of young people taking part or the school/group they are part of.

Research and analysis

Supporter research and analysis:

We take seriously our duty to ensure that charitable donations are spent wisely, and that means doing some research and analysis to inform our decisions, set strategic objectives, develop fundraising and marketing strategies, forecast income and set budgets.

We carry out the following:

Analysing how emails are opened and read in order to ensure we are sending information that is relevant and of interest.

Segmentation – analysing information such as postcodes of supporters. This helps us to tailor appropriate communications to our donors and supporters as well as improve the care we provide you enhancing your engagement and experience as a Porchlight supporter.

Finding other people like you who might like to hear from us – we may use the email address you give us to help find more people like you, so that we can grow our supporter base through our online channels. We use third party services to do this including Google, Facebook and Twitter.

Analysing our supporter base to identify, communicate and engage with philanthropists and people who might choose to give significantly high levels of donations

We may undertake in-house desk research and engage specialist research companies to help us identify and engage with people who may wish to have a closer and more informed relationship with the charity and join our major donor funding programme by making a significant gift.

We will use information provided by you and that which is publicly available from sources such as Companies House, company websites, grant-making trusts and foundations websites, cultural and heritage websites, regional and local organisations websites like Kent Ambassadors, political and property registers, social network sites such as Linked In, and media archives. We may gather information on board memberships, governorships, trusteeships, directorships, patronages, typical earnings in a given industry or sector, hobbies, honours and publically available news on philanthropic giving in articles published in print or online.

This information is vital to help us tailor our communication with you and to ensure it is relevant and timely. It helps us to understand you better so that we can make appropriate requests for significant financial support and send relevant invitations to join meetings, development groups and attend events which may be of interest. It provides a tailored, bespoke, positive experience for prospective philanthropists and high-net-worth supporters. We may also carry out research in this way to identify individuals not on our supporter database who may have an affinity to our cause but with whom we are not already in touch.

Under data protection legislation, you have the right to object your data being processed in this way. If you wish to opt out of being identified as a high net worth individual, please contact our Director of Fundraising & Communications at headoffice@porchlight.org.uk

We are also legally required to carry out checks on individuals who donate large donations, to comply with our duties in respect of anti-money laundering legislation and the prevention of fraud.

Applying to work or volunteer with us

If you apply to work or volunteer with us your personal data will be collected to administer your application, and for equality and diversity monitoring. Personal data on all applicants is held for 12 months, unsuccessful applicant data is disposed of securely after 12 months while successful applicant data will be retained in personnel files.

We will need to share the data of successful applicants who are being offered a role in order to contact referees or to carry out a DBS check (role dependent); our application form requests your consent in order to allow us to do this.

If you sign up for our Job Alerts emails your name email address will be used to send you personalised email alerts with details of current vacancies at Porchlight. We will continue to send you job alert emails and retain your data indefinitely until you unsubscribe or request that we remove your details.

Website and social media

We use cookies on our website, a cookie is a small data file that is downloaded from a website onto your computer hard drive. A cookie allows us to recognise that you have used the site before, but will not contain any other personal data. Cookies help us to understand how we can improve our services to our clients and supporters. Cookies do not allow us to identify users personally.

The Porchlight website uses Google Analytics to help us understand how people are using the site, what information they are accessing and engaging with and so enables us make our site meet the needs of the user.

If you do not want cookies to be stored on your PC you can adjust your privacy settings. All browsers allow you to manage these settings, which are usually found under the “Preferences” or “Tools” menu. You can find out more information about individual browser settings at www.aboutcookies.org

Our website contains links to other websites of interest and we enable you to share information through social networking sites such as Facebook and Twitter. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement.

We may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies in the that event you post or send any content that we believe to be inappropriate, offensive, or in breach of data protection laws.

Professional contacts

We will collect data on professional contacts and partners with whom we work or to whom we provide professional services (e.g. training). We may send our professional partners information and updates about our work and such contacts may opt out of receiving this information at any time.

Business to business fundraising contacts:

We maintain a record of information related to businesses and their Directors, grant-making trusts and foundations and their Trustees, statutory funding bodies, MPs, local Councillors and other holders of public office in order to undertake fundraising and campaigning activities in furtherance of our charitable aims. This will include a ‘point of contact’ name, a record of contact details such as postal and email addresses, phone numbers and publicly available information which will enable us to develop and manage positive ‘business to business’ working relationships with these individuals and individuals working for these organisations.

Retention of your data

We have an internal procedure which sets out the specified time for which we keep data, we refer to the data retention procedures of local authorities and national bodies in determining how long we will keep data and take into account any legal requirements, legitimate interests, and guidance issued by regulatory bodies such as the Information Commissioners Office. Once the retention period has expired we will securely dispose of data either by confidential waste disposal, anonymisation, or permanent deletion.

Service users

We generally keep records of people we have worked with for up to 7 years after their last engagement with us. There are exceptions for those who are care leavers or have been a looked after child where the law specifies that we must hold these records until the person’s 75th birthday, or where there are contractual requirements in place from funders who may require that we retain some data for longer periods.

Donors and supporters

We will store data relating to donors and supporters who have acted upon campaigning actions for seven years after their last donation or engagement.

If you request to receive no further contact from us, we will keep some basic information about you on our suppression list to avoid sending you unwanted materials in the future. If your data includes your giving history and financial details, we will anonymise the data if it needs to be used for monitoring or forecasting reports.

If you have gift aided your donations, under current HMRC rules we are obliged by law to retain your gift aid declarations and details of any donations for six years after the date of your last donation.

Security of your data

We have appropriate operational and technical measures in place to protect your personal data and ensure its confidentiality, integrity, and availability. All information provided to the charity is stored securely and accessible only to those who are authorised to have access to it. We will take all reasonable steps and measures to ensure that the information you give us is protected against loss, misuse, unauthorised access or disclosure.

In the unlikely event that a data breach should occur, the charity has a data breach procedure in place which details our responsibilities to swiftly mitigate and rectify any breach, and to report to the ICO and data subjects as required.

Porchlight is certified with ISO 27001:2013 Information Security Management which is the international standard that describes best practice for an ISMS (information security management system). We have been certified by external, independent and expert auditors as following best practice with regards to information security management.

Salesforce - we keep all our service user and volunteers data in a secure Salesforce

database, this is protected so that only authorised staff have access to view the records. Our Salesforce database has the ability to carry out “automated decision making”, an example of this is where we would enter a person’s address and it will automatically tell us the nearest support service to them. The automated decision making is based on information which is manually entered by staff and this can be overridden at any time.

Raiser’s Edge NXT – we keep all our supporter data in a secure Blackbaud database, this is protected so that only authorised staff have access to view the records. Raiser’s Edge NXT does not carry out any automated decision making.

HR net – we keep all our staff data in a secure ADP database, this is protected so that only authorised staff have access to view relevant records. HR net does not carry out any automated decision making.

We may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies in the that event you post or send any content that we believe to be inappropriate, offensive, or in breach of data protection laws.

Disclosure of your data

We will never sell, share or swap your details with any third parties for the purposes of their own marketing or the monetisation of your data.

Your data will only be shared with third parties where:

It is to a secure data processor carrying out processing activities on our behalf

We are required to do so by law, for example to regulatory bodies or law enforcement, or in order to enforce or apply our rights to protect the charity, for example in cases of suspected fraud or defamation

It is necessary to protect the vital interests of an individual, for example where we believe you or another person might be in danger

We have obtained your explicit consent to share it

We are required to share some information with our funders and commissioners for monitoring and quality assurance, and we also use anonymised data for internal equality and monitoring.

Use of data processors

We may use third party suppliers to manage mailing for fundraising appeals, campaigning, to conduct research or surveys, or for secure storage of personal information on our behalf where appropriate technical and security measures are in place.

We enter into contracts with all of our data processors and we require these third parties to comply strictly with data protection laws and will ensure appropriate controls are in place.

Our main processing systems are Microsoft Office 365, Microsoft Azure, Salesforce, Blackbaud and ADPnet, these are cloud services hosted within the EEA. Should you wish to know the current list of third party data processors we work with please contact headoffice@porchlight.org.uk

Transfer of data outside the European Union

In the unlikely event we were required to transfer data outside the EEA this would be done so in a secure manner and only where there is an adequate level of protection for the rights of data subjects in the receiving country, for example the EU-US Privacy Shield.

Your rights and complaints

Porchlight’s Data Subject Rights procedure gives you the full rights and protections under GDPR to access, rectify, erase, restrict, port, object, or complain regarding your data. The procedure and details on how to exercise your rights can be found here: www.porchlight.org.uk/data

To stop job alert emails you can use the unsubscribe link included in every email or contact recruitment@porchlight.org.uk to request that your email address be removed.

About us

Porchlight is registered with the Information Commissioners Office and can be found on the ICO’s register of data controllers under the registration number Z7763784.

This statement was last updated April 2018, if any significant changes are made to the way in which we use your data we will update this privacy statement and make you aware in our next communication with you.